How to effectively destroy 'session' in Java Servlet?

Asked 20/12, 2012 at 0:55 Answered 14/3 at 20:13

The Servlet I'm working has a variable session.

I've tried session.invalidate();, this seem to have destroyed session but when I do a redirect like so response.sendRedirect("restanes.jsp");, it gives me HTTP Status 500 error with this line:

java.lang.IllegalStateException: getAttribute: Session already invalidated

This is expected since I was trying to destroy the session.

But why is the page unable to redirect? On the same page elsewhere I've redirected successfully.

How can I destroy session and redirect successfully?

Code snippet:

if(request.getParameter("logout") != null ){  
        session.invalidate();
        response.sendRedirect("restanes.jsp");
}

Update: All I needed to do was return; after response.sendRedirect("restanes.jsp");. Sincere thanks to BalusC.

Slone answered 20/12, 2012 at 0:55 Comment(7)

The 500 error is most likely produced by the page after the redirect (restanes.jsp). Can you get more information from the logs? – Indo 20/12, 2012 at 1:2

The presence/lack of a session should not impact redirection. – Skirt 20/12, 2012 at 1:9

@Indo if I remove session.invalidate(); the redirect bit works fine. When I put back that line, the error also points to a session variable that I had set earlier. – Slone 20/12, 2012 at 1:21

Are you sure the page you are redirecting to doesn't require information from the session you invalidated? – Callen 20/12, 2012 at 1:26

@Callen Well.. it doesn't. That's because it has validation. If there is no session it shows different behaviour. Just now I tried redirecting to a page that does not have session at all and still same problem. – Slone 20/12, 2012 at 1:31

What if it has a new session that hasn't been initialized (and is missing something the old session had)? – Springs 20/12, 2012 at 1:35

@MrGhimire - but there is a session. Its just that it is invalid. – Callen 20/12, 2012 at 1:46

Using sendRedirect() instead of forward() is indeed the solution. But you need to make sure you return from the method after sending the redirect.

if (request.getParameter("logout") != null) {  
    session.invalidate();
    response.sendRedirect("restanes.jsp");
    return; // <--- Here.
}

Otherwise the code will continue to run and hit some session.getAttribute() method further down in the block causing exactly this exception. At least, that's the most likely cause of the problem described so far and based on the fact that this is a pretty common starter's mistake. See also among others java.lang.IllegalStateException: Cannot (forward | sendRedirect | create session) after response has been committed.

Storeroom answered 20/12, 2012 at 12:55 Comment(3)

Quite possibly this is really what's going on - makes more sense in any case. If OP confirms then I will upvote and delete my answer. – Callen 20/12, 2012 at 14:23

@Storeroom I'm PHP guy and was expecting redirect to work perfectly (without having to return). I've tested with return; and works. Humble thanks. – Slone 20/12, 2012 at 23:29

You're welcome. Note that the same applies to PHP. You need to put an exit; after header('Location: foo.php'); inside an if block to prevent the remnant of code to run (although this may not necessarily harm in PHP; the webbrowser would ignore the unnecessarily retrieved HTML anyway). – Storeroom 20/12, 2012 at 23:37

Your code is okay

if(request.getParameter("logout") != null )
{  
  session.invalidate();
  response.sendRedirect("restanes.jsp");
}

but make sure the redirecting page does not contain any session attributes. 500 internal error coming from "restanes.jsp" page. work out with the redirected page and session activity.

Giovannigip answered 19/12, 2013 at 5:50 Comment(1)

As the OP and BalusC have pointed out; his (not sure of gender based on name) code is not OK. It needs the fix given in BalusC's answer. – Particularity 23/1, 2018 at 6:21

-1

Here is another thing you can do if session.invalidate() does not work. Just use the System.out.flush() after session.invalidate():

protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    
    HttpSession session = req.getSession();
    session.invalidate();

    RequestDispatcher rd = req.getRequestDispatcher("/index.html");
    rd.forward(req, resp);
    
    System.out.flush();
}

Thies answered 14/3 at 20:13 Comment(0)

Recommended topics

Hot tags